hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
31,240 Commits 1,671 Branches 157 Tags
codeql-cli-2.7.6
Commit Graph

1639 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
264f4ab5ab add js/session-fixation query 2021-11-03 13:04:41 +01:00
Erik Krogh Kristensen
d9a214767b add support for node-rsa 2021-11-02 14:45:33 +01:00
Erik Krogh Kristensen
2c013214f7 add Diffie-Hellman from the crypto library 2021-11-02 14:45:33 +01:00
Erik Krogh Kristensen
1df8ec2cae add insufficient key size model for node-forge 2021-11-02 14:45:33 +01:00
Erik Krogh Kristensen
62039b866c add cryptographic key model to the crypto-js library 2021-11-02 14:45:33 +01:00
Erik Krogh Kristensen
028799deb6 implement a simple InsufficientKeySize query 2021-11-02 14:45:30 +01:00
Asger Feldthaus
5f4c1dd19b JS: Support regexp-based path traversal check 2021-11-02 14:12:05 +01:00
Asger Feldthaus
83edcf515b JS: Add test for regexp-based sanitizer 2021-11-02 14:12:04 +01:00
Erik Krogh Kristensen
7a96b8e9e1 Merge branch 'main' into ldap 2021-11-02 12:47:28 +01:00
CodeQL CI
dde493259a Merge pull request #7003 from asgerf/js/mixed-this-fp 
Approved by erik-krogh
 2021-11-01 09:13:21 +00:00
Asger Feldthaus
d52b2bd863 JS: Fix FP in ˚MixedStaticInstanceThisAccess 2021-10-29 14:16:54 +02:00
Asger Feldthaus
afa6424d67 JS: Add test with FP 2021-10-29 14:16:54 +02:00
Erik Krogh Kristensen
4f6e5c903b filter out writes to number indexes 2021-10-28 14:27:07 +02:00
Erik Krogh Kristensen
12305aae42 extract regexp literals from string concatenations 2021-10-28 10:44:33 +02:00
Erik Krogh Kristensen
96b6f670d9 filter away paths that start with libary inputs and end with a fixed-property write 2021-10-27 21:01:11 +02:00
Erik Krogh Kristensen
a9a9e34265 recognize delete expresssions as a sink for js/prototype-polluting-assignment 2021-10-27 20:37:42 +02:00
Erik Krogh Kristensen
2dedfb302a remove paths without unmatched returns from js/prototype-polluting-assignment 2021-10-27 20:37:42 +02:00
Erik Krogh Kristensen
0c9c9bbde7 detect library input when the arguments object is converted to an array 2021-10-27 20:37:41 +02:00
Erik Krogh Kristensen
d1238dfd8b update alert message to distinguish between library input and remote flow 2021-10-27 20:35:38 +02:00
Erik Krogh Kristensen
6e183af383 ignore test files for the `prototypeLessObject' predicate 2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen
e94b0f5913 recognize inclusion based sanitizers for js/prototype-polluting-assignment 2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen
2a808b2cd6 track taint through string coercions for js/prototype-polluting-assignment 2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen
2d65aa17db recognize exported functions that use the arguments object 2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen
78774233c7 add library input as source to js/prototype-polluting-assignment 2021-10-27 20:35:36 +02:00
Erik Krogh Kristensen
71cca6d644 Merge branch 'main' into ldap 2021-10-27 19:06:06 +02:00
Erik Krogh Kristensen
44afa34e37 Merge branch 'main' of github.com:github/codeql into htmlReg 2021-10-26 14:46:27 +02:00
Erik Krogh Kristensen
038438edca assume that setting the secure/httpOnly flag to some unknown value is good 2021-10-26 13:47:28 +02:00
Erik Krogh Kristensen
311df4d2b7 add test for the cookie npm package 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
834d5ec6ad add session{key,id} as sensitive info 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
1e1e549847 update tests so it's clear which cookies are insecure 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
283b8231cb add more cookie models 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
2cb3d2c53f documentation overhaul on client-exposed-cookie (and restricting it to server-side) 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
ab23ffff3d documentation overhaul for clear-text-cookie 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
f36accf3e6 only report clear-text cookies for sensitive cookies 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
53b4337795 combine test files 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
6858acc6a9 port experimental cookie models to non-experimental 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
44db920f10 refactor, cleanup, and improvements in experimental cookie queries 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
6a9277b5ce recognize string sanitizers for ldap-injection 2021-10-01 09:01:29 +02:00
Erik Krogh Kristensen
2062afc868 add calls to parseDN as sinks for ldap-injection 2021-10-01 09:01:28 +02:00
Erik Krogh Kristensen
c55b7bcd85 model ldap filters as taint steps 2021-10-01 09:00:10 +02:00
Erik Krogh Kristensen
9b5ff66b68 naively port tests from ldap examples 2021-10-01 09:00:10 +02:00
Erik Krogh Kristensen
805d1d170c do not filter away regular expressions with lookbehinds 2021-09-22 17:14:29 +02:00
Erik Krogh Kristensen
99ed4a1a89 add a bad-tag-filter query for Python and JavaScript 2021-09-21 15:04:03 +02:00
CodeQL CI
220f2ded85 Merge pull request #6698 from asgerf/js/template-self-assignment 
Approved by esbena
 2021-09-15 01:08:39 -07:00
Asger Feldthaus
b5db4047a0 JS: Exclude template files in SelfAssignment 2021-09-15 08:59:47 +02:00
Erik Krogh Kristensen
8569d261f7 add test 2021-09-13 20:43:31 +02:00
Erik Krogh Kristensen
05cc6bcf8a adjust regexp libraries to how unpaired surrogate are parsed now 2021-09-13 14:02:05 +01:00
Chris Smowton
f24d7c4212 Acknowledge new FPs due to the extractor using U+FFFD for unpaired surrogates 
These were already misinterpreted, but the ReDoS code ignored them as they previously appeared to be `?` characters.
 2021-09-13 14:02:05 +01:00
CodeQL CI
cd26d97dd7 Merge pull request #6549 from erik-krogh/moreDom 
Approved by asgerf
 2021-09-08 05:10:47 -07:00
CodeQL CI
b4963c7538 Merge pull request #6558 from erik-krogh/redosCasing 
Approved by esbena, yoff
 2021-09-02 12:20:08 +01:00